Consider the following scenario:
You have some database availability groups (DAGs) in a Microsoft Exchange Server 2010 environment.
You create a management role assignment in the environment.
You assign management roles to a role assignee.
You define the scope of the role assignment to a member mailbox server in a DAG.
The role assignee tries to make some changes to another DAG that is outside the scope of the management role group by using one of the following cmdlets:
In this scenario, the role assignee can unexpectedly change the DAG successfully.
This issue occurs because there is no Role Based Access Control (RBAC) scope validation when Exchange Server 2010 runs *-DatabaseAvailabilityGroup cmdlets.
To resolve this issue, install the following update rollup:
2785908 Description of Update Rollup 5 version 2 for Exchange Server 2010 Service Pack 2
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
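To see where this issue matters in an environment, the following added example (not part of the original article or any Microsoft-supplied script) lists role assignments that include the DAG cmdlets but depend on a custom configuration write scope, then pulls recent uses of those cmdlets from the admin audit log for comparison. The 90-day window and the variable names are assumptions.

```powershell
# Added example: run in the Exchange Management Shell.
# The five cmdlets named in this article.
$dagCmdlets = 'New-DatabaseAvailabilityGroup', 'Set-DatabaseAvailabilityGroup',
              'Remove-DatabaseAvailabilityGroup', 'Stop-DatabaseAvailabilityGroup',
              'Start-DatabaseAvailabilityGroup'

# 1. Management roles that contain at least one of the DAG cmdlets.
$roles = foreach ($c in $dagCmdlets) { Get-ManagementRole -Cmdlet $c }
$roleNames = $roles | ForEach-Object { $_.Name } | Sort-Object -Unique

# 2. Assignments of those roles that are limited by a custom configuration
#    write scope (for example, a server scope). Before the update rollup is
#    installed, that scope is not validated for the DAG cmdlets.
$exposed = foreach ($r in $roleNames) {
    Get-ManagementRoleAssignment -Role $r |
        Where-Object { $_.CustomConfigWriteScope }
}
$exposed | Sort-Object Name -Unique |
    Format-Table Name, Role, RoleAssigneeName, CustomConfigWriteScope -AutoSize

# 3. Recent runs of the DAG cmdlets. Compare Caller and ObjectModified with
#    the scopes listed in step 2 to spot changes made outside an assignee's
#    intended scope. Returns nothing if admin audit logging is not enabled.
$since = (Get-Date).AddDays(-90)   # assumed review window
Search-AdminAuditLog -Cmdlets $dagCmdlets -StartDate $since |
    Sort-Object RunDate |
    Format-Table RunDate, Caller, CmdletName, ObjectModified, Succeeded -AutoSize
```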
For more information about management role scopes, go to the following Microsoft website:
Understanding management role scopes
For more information about the New-DatabaseAvailabilityGroup cmdlet, go to the following Microsoft website:
General information about the New-DatabaseAvailabilityGroup cmdlet
For more information about the Set-DatabaseAvailabilityGroup cmdlet, go to the following Microsoft website:
General information about the Set-DatabaseAvailabilityGroup cmdlet
For more information about the Remove-DatabaseAvailabilityGroup cmdlet, go to the following Microsoft website:
General information about the Remove-DatabaseAvailabilityGroup cmdlet
For more information about the Stop-DatabaseAvailabilityGroup cmdlet, go to the following Microsoft website:
General information about the Stop-DatabaseAvailabilityGroup cmdlet
For more information about the Start-DatabaseAvailabilityGroup cmdlet, go to the following Microsoft website: